Security

Security is one of the primary considerations in all aspects of BoardSpot. If you have any questions after reading this, or encounter any issues, please let us know.

HTTPS and HSTS for secure connections

BoardSpot forces HTTPS for all services using TLS (SSL), including our public website and the application.

We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with BoardSpot only over HTTPS.

Encryption of data

All files are stored encrypted with AES-256 on AWS S3 servers, and are exclusively transmitted across secure connections.

Storage of Credit Card Information

All credit card and related sensitive information is managed by Stripe. From Stripe (4/25/2019):

All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).

Vulnerability disclosure

Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in BoardSpot's security, please get in touch at security@boardspot.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by BoardSpot.